|HELP! Possible 302 hijack for client site||designcouch||7/6/12 7:07 AM|
My client's site has been the victim of a possible 302 hijack. Searching for "Frederick Living" brings up their results (www.frederick-mennonite.org) but when the links are clicked, pages from the bee.edns.biz domain are shown. This is an unrelated site, and contains spam targeted at the market that my client's site is focused on (retirees). PLEASE HELP! I am in the middle of coding a new site for them, and need this rectified so that Google will index the new site when it launches.
|Re: HELP! Possible 302 hijack for client site||kravman85||7/7/12 9:09 AM|
I'm having the exact same problem as well. I'm going to try refreshing/flushing dns, new primary domain, then if all else fails contacting the hosting company. Remember to use best practices and I typically ban any out of country IP address.
|Re: HELP! Possible 302 hijack for client site||webado||7/7/12 9:28 AM|
Actually it's not hijacked.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/7/12 10:18 AM|
Unless the site hack is dependent on the user arriving from a search engine, this is not the case, as navigating directly to their site doesn't result in a redirect.
|Re: HELP! Possible 302 hijack for client site||webado||7/7/12 10:29 AM|
|Re: HELP! Possible 302 hijack for client site||designcouch||7/9/12 6:47 AM|
|Re: HELP! Possible 302 hijack for client site||redleg-redleg||7/9/12 6:53 AM|
Check your site for some obfuscated php code, a line that starts out like this
the string of seemingly random characters will be pretty long. Start with your homepage the files includes/defines.php and /configuration.php are also possibilities.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/9/12 6:58 AM|
That line of code appears to be in the index.php file of my site. Should deleting it solve the issue?
|Re: HELP! Possible 302 hijack for client site||redleg-redleg||7/9/12 7:19 AM|
Yes, you need to remove that line. Just to be sure here is the entire line
Also unfortunately with this hack that line of code is placed in multiple files on the site so you will need to check any files named index.php and the core files includes/defines.php and /configuration.php If present it will be the same line in all the files.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/9/12 7:36 AM|
Yeah - I'd started looking into everything on the site, and it appears that most .php files are affected. It looks like I have a long day ahead of me deleting and re-saving files. In your experience, would re-installing Joomla be a viable solution?
|Re: HELP! Possible 302 hijack for client site||redleg-redleg||7/9/12 7:42 AM|
If you have a lot of individual files to clean up then it would probably end up being faster in the long run to re-install Joomla.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/10/12 9:33 AM|
I have re-installed Joomla AND restored the site from a backup from last year. All of the base64 code that was inserted is gone. However, search engines are still forwarding the site to the spam pages. Do you have any thoughts? Does it just take a while for my changes to propagate? I was under the impression that the results should be instant.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/10/12 9:56 AM|
I have also done a basic process inspection when clicking on the link from Google. This confirms that the hack is a 302 redirect, as initially suspected. I have included a screenshot of this process - note the status on the very top entry (the "frederick-mennonite.org" url).
|Re: HELP! Possible 302 hijack for client site||redleg-redleg||7/10/12 11:05 AM|
Unfortunately there is still something wrong, a lingering hack somewhere that did not get overwritten. There is a listing for a simple script at
You copy and paste the script into a file then upload it to your server then open it in a browser. The script will scan your files for any occurrences of the string base64 and echo the path/filename to the browser. You might try running that and see if it finds anything.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/10/12 12:29 PM|
Thanks Red Leg - that allowed me to locate the rest. Will update on whether or not it was successful.
|Re: HELP! Possible 302 hijack for client site||designcouch||7/10/12 1:34 PM|
Final update - consider this issue closed. Red Leg's script helped me locate the last few files. Search results are now functioning just as they should. Thanks all!